The lack of a recent newsletter has probably got you thinking that the list is broken or that I've stopped writing them, but the reason is that David Solomon and I have been hard at work on the next edition of "Inside Windows 2000". It's entitled, "Windows Internals" and will cover Windows 2000, Windows XP, and Server 2003. We've made good progress and expect to have the manuscript complete in August for publication in October. In addition to reflecting changes to the OS, we've also expanded coverage in many areas, including security, crash dump analysis, startup and more. Look for resumption of regular newsletters once we've finished. That said, I've included a Process Explorer tip that I think you'll find useful.

USING PROCESS EXPLORER TO TRACK CPU USAGE

If you frequent Sysinternals, then you've seen Process Explorer gain major enhancements in the last six months. Several make understanding a system's CPU usage much easier than it is with Task Manager. In Task Manager, for example, even processes consuming no CPU have text in the CPU column ("00"), which makes it difficult to distinguish them from processes using CPU. Task Manager also rounds CPU usage to the nearest whole number, which can hide or misrepresent CPU usage. If a process is active every now and then, but consuming less than 1% of CPU, it may still show up as "00". Finally, Task Manager attributes any CPU time used by interrupt processing to the "System Idle Process", making it impossible for you to identify a buggy driver or hardware that's making your machine sluggish.

Process Explorer makes it easy to see at a glance which processes are using CPU, because it only displays numbers for those with non-zero CPU usage, and its option to view fractional CPU displays CPU usage more accurately. It also shows interrupt (hardware interrupt) and deferred procedure call (DPC, software interrupt) activity as pseudo-processes.

However, even with fractional CPU there are almost always processes that are consuming your CPU, but not shown as doing so. The reason is the way that Windows does its time accounting. Periodically (every 10 ms on most systems) a clock interrupt fires. In response, the Windows clock interrupt routine executes and assumes that whatever thread is currently running is the one that's used the CPU since the last clock interrupt. 10 ms is a long time on today's multigigahertz CPUs, and many threads can execute between clock interrupts but never be seen by the clock interrupt routine.

Another way to determine process execution, therefore, is to examine the number of context switches that the threads in a process have incurred. When a thread is selected to run (scheduled), its context switch count is incremented. You can see the total number of context switches that have occurred in each process by adding the Context Switch column (click on View->Select Columns). But a more interesting number is the Context Switch Delta column. This displays the number of context switches that have occurred in each process in between Process Explorer's refresh interval (which by default is 1 second).

So, for a very different view of process activity on your system, add the Context Switch Delta column and sort by it. You will see many processes with threads that are running that do not show up as consuming any CPU time, because the threads are running in between the 10 ms clock interval. Some of these processes are performing needless polling (such as querying the registry or checking for changes in a folder). That is just plain sloppy programming. Others may be performing useful work, but are running "under the radar" of the system's time accounting mechanisms. It's your job to separate the wheat from the chaff.
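The accounting gap described above can be reproduced with a small model. The following is an added example, not code from Sysinternals or Windows: it simulates one CPU with a 10 ms clock tick over one 1-second refresh interval, using two constructed processes ("poller" and "worker", both hypothetical), and compares tick-charged CPU time with real CPU time and the context switch delta.

```python
TICK_US = 10_000        # clock interrupt period described in the text (10 ms)
REFRESH_US = 1_000_000  # Process Explorer's default refresh interval (1 s)

def build_schedule(duration_us):
    """Constructed single-CPU run intervals (start, end, name); gaps are idle."""
    runs = []
    # "poller": 100 us burst every 2.5 ms, always finished before the next tick
    for start in range(1_000, duration_us, 2_500):
        runs.append((start, start + 100, "poller"))
    # "worker": 1.5 ms burst every 20 ms that happens to straddle a tick
    for start in range(9_000, duration_us, 20_000):
        runs.append((start, start + 1_500, "worker"))
    return sorted(runs)

def account(runs):
    """Return per-process context switches, real CPU time and tick-charged time."""
    stats = {}
    for start, end, name in runs:
        s = stats.setdefault(name, {"switches": 0, "actual_us": 0, "charged_us": 0})
        s["switches"] += 1              # thread was scheduled: count goes up
        s["actual_us"] += end - start   # what the thread really consumed
        # Every clock tick that lands inside this run charges a full period
        first_tick = -(-start // TICK_US) * TICK_US   # round start up to a tick
        s["charged_us"] += len(range(first_tick, end, TICK_US)) * TICK_US
    return stats

def under_the_radar(stats):
    """Processes that ran but were charged no CPU, highest switch delta first."""
    hidden = [(n, s["switches"]) for n, s in stats.items()
              if s["switches"] > 0 and s["charged_us"] == 0]
    return sorted(hidden, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    stats = account(build_schedule(REFRESH_US))
    for name, s in sorted(stats.items()):
        print(f"{name:8} switch delta={s['switches']:4} "
              f"actual={100 * s['actual_us'] / REFRESH_US:4.1f}% "
              f"charged={100 * s['charged_us'] / REFRESH_US:4.1f}%")
    print("under the radar:", under_the_radar(stats))
```

In this model the poller is scheduled 400 times and uses 4% of the CPU yet is charged nothing, while the worker uses 7.5% and is charged 50% because each of its bursts happens to be running when a tick fires.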

Come see me speak at either Microsoft TechEd US or Europe, where one of my sessions, "Windows and Linux: A Tale of Two Kernels", compares the current Linux kernel and Windows kernels. At TechEd US I'm also presenting "Advanced Windows Troubleshooting with Sysinternals Process Explorer", where I'll give you tips on getting the most from Process Explorer. At TechEd Europe my "Effective Windows Troubleshooting with the Sysinternals Tools" shows the use of Process Explorer, Regmon and Filemon to solve real-world problems, and "Troubleshooting Windows Boot and Startup" teaches you mechanisms and techniques for getting an unbootable system running again.

This is the same class we teach to Microsoft employees around the world. It covers the internals of processes & threads, thread scheduling, memory management, security, the registry, and I/O system. Delve into mechanisms such as system threads, system call dispatching, interrupt handling, & startup & shutdown. Learn advanced troubleshooting techniques using the Sysinternals tools and how to perform crash dump analysis. By understanding the inner workings of the OS, you can take advantage of the platform more effectively and more effectively debug and troubleshoot problems.

NOTE: London and Austin classes are lecture only. San Jose class is hands-on (bring your own laptop; configuration details are provided).